OIDC Module: Adding claims to ID Token

[huwi...@champlain.edu]

I'm using the OIDC module (v6) and encountering an issue with an OIDC client that expects user claims to be included in the ID token itself. 

Current behavior:

When scopes openid, email, and profile are requested, the ID token only contains standard claims: sub, iss, aud, exp, iat, at_hash, sid

User claims (email, given_name, family_name, name) are only available via the UserInfo endpoint.

Question: 

Is there a way to configure the OIDC module to include scope-based claims in the ID token, or are they only available via UserInfo? I've tried creating a hook file at modules/oidc/hooks/id_token.claims.php but it doesn't seem to be called. Any guidance would be appreciated. This is the first OIDC client I'm setting up that requires claims in the ID token rather than fetching them from UserInfo.

[cic...@gmail.com]

Hi,

we are aware of this requirement for some clients and there is an opened issue for it: https://github.com/simplesamlphp/simplesamlphp-module-oidc/issues/247

It is planned for v7, however with no due date.

Best regards

Marko I.

[huwi...@champlain.edu]

Hi Marko,

Thanks for the quick reply and for confirming.  I’ll keep an eye on issue #247 and news on v7 release date.

Appreciate all the work your team puts into maintaining SSP and the OIDC module!

Best,
Matt